Information Flow Tracking for Linux Handling Concurrent System Calls and Shared Memory

Georget, Laurent; Jaume, Mathieu; Piolle, Guillaume; Tronel, Frédéric; Tông, Valérie Viêt Triêm

doi:10.1007/978-3-319-66197-1_1

Cited by 4 publications

(5 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These methods can be applied using commercial off-the-shelf kernel logging frameworks, such as auditd [4] or event tracing windows [3], which allow the logging of system calls. Some works propose the alternative instrumentation of the kernel with an optimized design that includes security considerations [34], [7], [40]; other approaches couple the IFT with tag propagation policies [22] [18]. Tag propagationbased policies can be coupled to access control policies or attack detection policies; these may make it possible to achieve a finer-grained causality tracking.…”

Section: State Of the Artmentioning

confidence: 99%

“…1) Information Flow Monitoring inside Kernel Space: Although information flows can be deduced from system call monitoring [17], [31], considerable work has been performed to instrument the Linux kernel by leveraging the Linux Security Module framework and netfilter modules to enable a finergrained observation of information flows produced by system call invocations [39], [42], [40]. In particular, RfBlare [18] proposes a solution to handle information flow monitoring evasions that leverage race conditions among system calls. In [7], the authors propose the insertion of new dedicated hooks to record information flows into the provenance model.…”

Section: A Computing An Approximation Of Causal Dependencies Among Amentioning

confidence: 99%

See 1 more Smart Citation

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Xosanavongsa

Totel

Bettan

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

In order to supervise the security of a large infrastructure, the administrator deploys multiple sensors and intrusion detection systems on several critical places in the system. It is easier to explain and detect attacks if more events are logged. Starting from a suspicious event (appearing as a log entry), the administrator can start his investigation by manually building the set of previous events that are linked to this event of interest. Accordingly, the administrator attempts to identify links among the logged events in order to retrieve those that correspond to the traces of the attacker's actions in the supervised system; previous work is aimed at building these connections. In practice, however, this type of link is not trivial to define and discover. Hence, there is a real necessity to describe and define formally the semantics of these links in literature. In this paper, a clear definition of this relationship, called contextual event causal dependency, is introduced and proposed. The work presented in this paper aims at defining a formal model that would ideally unify previous work on causal dependencies among heterogeneous events. We define a relationship among events that enables the discovery of all events, which can be considered as the cause (in the past) or the effect (in the future) of an event of interest (e.g., an indicator of compromise, produced by an attacker action). This model is gradually introduced and defined by merging two previously defined causality models from the distributed system and operating system research areas (i.e., Lamport's and d'Ausbourg's). Our model takes into consideration heterogeneous events that emanate from different abstraction layers (e.g., network, system, and application) with the main objective of formally defining a causal relationship among logged events. Thereafter, we show how existing implementations separately allow the computation of parts of the model. Finally, we describe the implementation and assessment of the model according to real attacks on distributed environments and its accuracy to extract all causally linked events related to a given attack event trace.

show abstract

Section: State Of the Artmentioning

confidence: 99%

Section: A Computing An Approximation Of Causal Dependencies Among Amentioning

confidence: 99%

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Xosanavongsa

Totel

Bettan

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…These structures expose attributes of the underlying kernel objects they represent (e.g., inode, process, shared memory), 1 # d e f i n e KERNEL_QUERY 2 # i n c l u d e " i n c l u d e / camquery . h " r e t u r n 0 ; 32 } 33 34 QUERY_NAME ( "My Example Query " ) ; 35 QUERY_DESCRIPTION ( " An example q u e r y " ) ; 36 QUERY_AUTHOR ( " John Doe " ) ; 37 QUERY_VERSION ( " 0 . 1 " ) ; 38 QUERY_LICSENSE ( " GPL " ) ; 39 r e g i s t e r _ q u e r y ( i n i t , i n _ e d g e , o u t _ e d g e ) ;…”

Section: Camquery Apimentioning

confidence: 99%

“…The LSM framework [69] was originally implemented to support Mandatory Access Control (MAC) schemes but not information flow tracking. Recent work by Georget et al [35,36] demonstrated, through static analysis of the kernel code base, that the LSM framework is applicable to information flow tracking, and that by adding a small number of LSM hooks, it was possible to properly intercept all information flows between kernel objects. Building on their work, we maintain a patch [5] to the LSM framework that allows CamFlow, and by extension CamQuery, to provide stronger guarantees than do previous whole-system provenance capture mechanisms.…”

Section: Ensuring Completeness and Accuracymentioning

confidence: 99%

Runtime Analysis of Whole-System Provenance

Pasquier

Han

Moyer

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Identifying the root cause and impact of a system intrusion remains a foundational challenge in computer security. Digital provenance provides a detailed history of the flow of information within a computing system, connecting suspicious events to their root causes. Although existing provenance-based auditing techniques provide value in forensic analysis, they assume that such analysis takes place only retrospectively. Such post-hoc analysis is insufficient for realtime security applications; moreover, even for forensic tasks, prior provenance collection systems exhibited poor performance and scalability, jeopardizing the timeliness of query responses.We present CamQuery, which provides inline, realtime provenance analysis, making it suitable for implementing security applications. CamQuery is a Linux Security Module that offers support for both userspace and in-kernel execution of analysis applications. We demonstrate the applicability of CamQuery to a variety of runtime security applications including data loss prevention, intrusion detection, and regulatory compliance. In evaluation, we demonstrate that CamQuery reduces the latency of realtime query mechanisms, while imposing minimal overheads on system execution. CamQuery thus enables the further deployment of provenance-based technologies to address central challenges in computer security. * Part of this work was completed at Harvard University and at the University of Cambridge.

show abstract

“…Only a limited number of system calls such as read or write have to be modified. To handle tags associated to files, we rely on RFBlare [16]. RFBlare is a modified Linux kernel that implements an OS-level DIFT monitor.…”

Section: Kernel Supportmentioning

confidence: 99%

A small and adaptive coprocessor for information flow tracking in ARM SoCs

Wahab¹,

Cotret²,

Allah³

et al. 2018

2018 International Conference on ReConFigurable Computing and FPGAs (ReConFig)

View full text Add to dashboard Cite

DIFT (Dynamic Information Flow Tracking) has been a hot topic for more than a decade. Unfortunately, existing hardware DIFT approaches have not been widely used neither by research community nor by hardware vendors. It is due to two major reasons: current hardware DIFT solutions lack support for multi-threaded applications and implementations for hardcore processors. This work addresses both issues by introducing an approach with some unique features: DIFT for multi-threaded software, virtual memory protection (rather than physical memory as in related works) and Linux kernel support using an information flow monitor called RFBlare. These goals are accomplished by taking advantage of a notable feature of ARM CoreSight components (context ID) combined with a custom DIFT coprocessor and RFBlare. The communication time overhead, major source of slowdown in total DIFT time overhead, is divided by a factor 3.8 compared to existing solutions with similar software constraints as in this work. The area overhead of this work is lower than 1% and power overhead is 16.2% on a middle-class Xilinx Zynq SoC.

show abstract

Information Flow Tracking for Linux Handling Concurrent System Calls and Shared Memory

Cited by 4 publications

References 11 publications

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Discovering Correlations: A Formal Definition of Causal Dependency Among Heterogeneous Events

Runtime Analysis of Whole-System Provenance

A small and adaptive coprocessor for information flow tracking in ARM SoCs

Contact Info

Product

Resources

About